Windows 10: Turn On or Off BitLocker for Operating System Drive in Windows 10  

    How to Turn On or Off BitLocker for Operating System Drive in Windows 10
    Category: Security System
    14 Mar 2017
    Designer Media Ltd

    Published by Brink (Administrator)

    Information
    You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.

    New files are automatically encrypted when you add them to a drive that uses BitLocker. However, if you copy these files to another drive or a different PC, they're automatically decrypted.

    BitLocker can encrypt the drive Windows is installed on (the operating system drive) as well as fixed data drives (such as internal hard drives). You can also use BitLocker To Go to help protect all files stored on a removable data drive (such as an external hard drive or USB flash drive).

    BitLocker checks the PC during startup for any conditions that could represent a security risk (for example, a change to the BIOS software that starts the operating system when you turn on your PC, or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and you'll need a special BitLocker recovery key to unlock it.

    You can choose how the operating system drive is unlocked when you turn on your PC: with a TPM, a password, or a startup key on a connected USB flash drive.

    This tutorial will show you how to turn on or off BitLocker to encrypt or decrypt the operating system drive with or without a TPM in Windows 10.

    Note
    You must be signed in as an administrator to be able to use BitLocker on the operating system drive.

    BitLocker Drive Encryption is only available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions.


    CONTENTS:
    • Option One: To Turn On BitLocker for Operating System Drive in BitLocker Manager
    • Option Two: To Turn Off BitLocker for Operating System Drive in BitLocker Manager
    • Option Three: To Turn Off BitLocker for Operating System Drive in Command Prompt
    • Option Four: To Turn Off BitLocker for an Operating System Drive in PowerShell



    EXAMPLE: Enter password at startup to unlock OS drive encrypted by BitLocker

    OPTION ONE
    To Turn On BitLocker for Operating System Drive in BitLocker Manager

    1. If you like, set a default encryption method (XTS-AES or AES-CBC) and cipher strength (128 bit or 256 bit) you want used by BitLocker. BitLocker Drive Encryption uses AES-CBC 128 bit by default for operating system drives.

    2. Do step 3 (TPM), step 4 (TPM with options), or step 5 (Without TPM - password or USB) below for how you want to unlock the OS drive at startup.


     3. To Automatically Unlock Operating System Drive at Startup with TPM

    Note
    This option requires that your PC has a TPM chip on it.


    A) No need to do anything else. Go to step 6 below.


     4. To Unlock Operating System Drive at Startup with Configured TPM Settings

    Note
    This option requires that your PC has a TPM chip on it.

    On a PC with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the PC starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit PIN, or both.


    A) Open the Local Group Policy Editor.

    B) In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)

    Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives


    C) In the right pane of Operating System Drives in Local Group Policy Editor, double click/tap on the Require additional authentication at startup policy to edit it. (see screenshot above)

    D) Select Enabled at the top, and uncheck the Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) box under Options. (see screenshot below)

    E) Select the setting you want for computers with a TPM, click/tap on OK, and go to step 6 below. (see screenshot below)



     5. To Unlock Operating System Drive at Startup with Password or USB flash drive

    Note
    This option is used when you don't want to use a TPM, or your PC doesn't have a TPM chip.

    Allowing BitLocker without a TPM will require you to unlock the operating system drive at startup with either a password or a startup key on a USB flash drive.


    A) Open the Local Group Policy Editor.

    B) In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)

    Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives


    C) In the right pane of Operating System Drives in Local Group Policy Editor, double click/tap on the Require additional authentication at startup policy to edit it. (see screenshot above)

    D) Select Enabled at the top, check the Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) box under Options, and go to step 6 below. (see screenshot below)



    6. Do step 7, step 8, or step 9 below for how you would like to manage BitLocker.

    7. Right click or press and hold on the operating system drive (ex: C: ) you want to encrypt, click/tap on Turn on BitLocker, and go to step 10 below. (see screenshot below)


    8. Select the operating system drive (ex: C: ) you want to encrypt, click/tap on the "Drive Tools" Manage tab, click/tap on the BitLocker button in the ribbon, click/tap on Turn on BitLocker, and go to step 10 below. (see screenshot below)


    9. Open the Control Panel (icons view), and click/tap on the BitLocker Drive Encryption icon.

    A) Expand open the operating system drive (ex: C: ) you want to encrypt under Operating system drives, click/tap on Turn on BitLocker, and go to step 10 below. (see screenshot below)


    10. Choose how (USB, TPM, or password) you want to unlock the operating system drive at startup. (see screenshots below)
    Note
    Let BitLocker automatically unlock my drive = This option is only available if your PC has a TPM, and you did step 3 above.

    Insert USB flash drive = This option allows you to unlock the operating system drive with a connected USB flash drive with the startup key saved on it, but is only available if you did step 4 or step 5 above.


    Enter a password = This option allows you to unlock the operating system drive with a password, but is only available if you did step 5 above.


    11. Select how (Microsoft account, USB, file, and/or print) you want to back up your BitLocker recovery key for this drive, and click/tap on Next when finished. (see screenshot below)


    Note
    Microsoft account = This option is only available when you are signed in to Windows 10 with a Microsoft account. It will save the BitLocker recovery key to your OneDrive account online at https://onedrive.live.com/recoverykey.


    USB flash drive = This option will save the BitLocker recovery key to a selected USB flash drive.


    File = This option will save the BitLocker recovery key .TXT file to a location you select.


    Print = This option will print the BitLocker recovery key to the selected printer.



    12. Select (dot) how much of your drive to encrypt right now, and click/tap on Next. (see screenshot below)
    Note
    It is recommended to select Encrypt entire drive.



    13. Select (dot) which encryption mode to use, and click/tap on Next. (see screenshot below)
    Note
    If you did step 1 above to set a default encryption method and cipher strength, then you will not have this setting available since BitLocker will use what you set in step 1 instead.


    New encryption mode (XTS-AES 128-bit) = Select this mode if this is a fixed drive or if this drive will only be used on devices running at least Windows 10 (version 1511) or later.

    Compatible mode (AES-CBC 128-bit) = Select this mode if this is a removable drive that you're going to use on an older version of Windows (ex: Vista, Windows 7, or Windows 8/8.1).



    14. Uncheck the Run BitLocker system check box, and click/tap on Continue when ready to start encrypting. (see screenshot below)
    Warning
    DO NOT check the Run BitLocker system check box. If you do, it will corrupt the boot drive, cause Windows to no longer boot, and you will not be able to recover the OS drive.



    15. The operating system drive will now start encrypting. (see screenshot below)
    Note
    This could take a long time to finish depending on the size of the drive and how much data on the drive is being encrypted.



    16. When encryption has finished, click/tap on Close. (see screenshot below)
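
    To confirm what Option One actually produced, the read-only check below reports the startup policy from steps 4 and 5, TPM readiness, the encryption method, and whether a recovery password protector exists. It is an added example, not part of the original tutorial; the function name Get-OsDriveBitLockerReport is hypothetical, and it assumes an elevated PowerShell with the OS drive at $env:SystemDrive.

```powershell
# Added example, not part of the original tutorial. Read-only: changes nothing.
# Assumptions: elevated PowerShell; the OS drive is $env:SystemDrive (usually C:).
function Get-OsDriveBitLockerReport {
    param([string]$MountPoint = $env:SystemDrive)

    # Steps 4 and 5: "Require additional authentication at startup" is stored
    # under this policy key (UseAdvancedStartup = 1 when set to Enabled).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -ErrorAction SilentlyContinue
    $policy = if ($fve -and $fve.UseAdvancedStartup -eq 1) {
        if ($fve.EnableBDEWithNoTPM -eq 1) { 'Enabled, BitLocker without TPM allowed (step 5)' }
        else                               { 'Enabled, TPM required (step 4)' }
    } else { 'Not configured or disabled (default TPM-only behaviour, step 3)' }

    # Step 3: is a usable TPM present?
    $tpmReady = $false
    try { $tpm = Get-Tpm; $tpmReady = $tpm.TpmPresent -and $tpm.TpmReady } catch { }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # Protector types only; the recovery password itself is never printed.
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    $findings = @()
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += 'Protection is not On (BitLocker is off or suspended).'
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector on the volume (see step 11).'
    }
    if ($tpmReady -and -not ($types -like 'Tpm*')) {
        $findings += 'TPM is ready but no TPM-based protector is in use.'
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        StartupPolicy    = $policy
        TpmReady         = $tpmReady
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod   # compare with steps 1 and 13
        KeyProtectors    = $types -join ', '
        Findings         = $findings
    }
}

Get-OsDriveBitLockerReport | Format-List
```

    An empty Findings list means the drive is fully encrypted, protection is on, and a recovery password protector is present.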

    OPTION TWO
    To Turn Off BitLocker for Operating System Drive in BitLocker Manager

    1. If you have not already, unlock the removable data drive encrypted by BitLocker.

    2. Do step 3, step 4, or step 5 below for how you would like to manage BitLocker.

    3. Right click or press and hold on the encrypted operating system drive (ex: C: ), click/tap on Manage BitLocker, and go to step 6 below. (see screenshot below)


    4. Select the encrypted operating system drive (ex: C: ), click/tap on the "Drive Tools" Manage tab, click/tap on the BitLocker button in the ribbon, click/tap on Manage BitLocker, and go to step 6 below. (see screenshot below)


    5. Open the Control Panel (icons view), click/tap on the BitLocker Drive Encryption icon, and go to step 6 below.

    6. Expand open the encrypted drive (ex: "C: BitLocker on") under Operating system drive, and click/tap on Turn off BitLocker. (see screenshot below)


    7. Click/tap on Turn off BitLocker to confirm. (see screenshot below)


    8. The operating system drive will now start decrypting. (see screenshot below)


    9. When decryption has finished, click/tap on Close. (see screenshot below)

    OPTION THREE
    To Turn Off BitLocker for Operating System Drive in Command Prompt

    1. Open an elevated command prompt.

    2. Type the command below in the elevated command prompt, and press Enter. (see screenshot below)


    manage-bde -off <drive letter>:

    Note
    Substitute <drive letter> in the command above with the actual drive letter of the encrypted drive you want to decrypt.

    For example: manage-bde -off C:

    Tip
    You can check the status of BitLocker for the drive at any time.


    OPTION FOUR
    To Turn Off BitLocker for an Operating System Drive in PowerShell

    1. Open an elevated PowerShell.

    2. Type the command below in the elevated PowerShell, and press Enter. (see screenshot below)


    Disable-BitLocker -MountPoint "<drive letter>:"

    Note
    Substitute <drive letter> in the command above with the actual drive letter of the encrypted drive you want to decrypt.

    For example: Disable-BitLocker -MountPoint "F:"

    Tip
    You can check the status of BitLocker for the drive at any time.
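
    Disable-BitLocker returns as soon as decryption starts, so the drive stays partly encrypted until the background conversion ends. The wrapper below is an added example, not part of the original tutorial: it asks for confirmation, starts the same operation as Options Three and Four, and polls the status until decryption finishes. The function name Disable-OsDriveBitLocker and the -PollSeconds parameter are hypothetical; it assumes an elevated PowerShell.

```powershell
# Added example, not part of the original tutorial.
# Assumptions: elevated PowerShell; function name and -PollSeconds are illustrative.
# Usage: Disable-OsDriveBitLocker -MountPoint 'C:' -WhatIf   (dry run, no change)
function Disable-OsDriveBitLocker {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [int]$PollSeconds = 30
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Verbose "$MountPoint is already fully decrypted."
        return $vol
    }

    # -Confirm / -WhatIf guard: decryption removes the protection from the drive.
    if (-not $PSCmdlet.ShouldProcess($MountPoint, 'Turn off BitLocker and decrypt')) {
        return
    }

    # Same operation as: manage-bde -off <drive letter>:
    Disable-BitLocker -MountPoint $MountPoint -ErrorAction Stop | Out-Null

    # Disable-BitLocker returns at once; decryption continues in the background.
    do {
        Start-Sleep -Seconds $PollSeconds
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Progress -Activity "Decrypting $MountPoint" `
                       -Status "$($vol.EncryptionPercentage)% still encrypted" `
                       -PercentComplete (100 - $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -eq 'DecryptionInProgress')
    Write-Progress -Activity "Decrypting $MountPoint" -Completed

    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "Decryption stopped in state $($vol.VolumeStatus); check the status again."
    }
    $vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}
```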



    That's it,
    Shawn


  1.    06 Feb 2016 #1

    What is the reason for option 1 step 14? I ran the bitlocker system check with no issues in build 10586 and it definitely should work...

    If you have set a pin to unlock (and allowed alphanumeric pins in Group policy) it is recommended. Reason is not all BIOS let you use full keyboard so you might define a PIN you can't enter at boot time.

    Note
    To use enhanced PINs, your computer's BIOS must support using the full keyboard in the pre-boot environment. Users can run the optional system check during the BitLocker setup process to ensure the PIN can be entered correctly in the pre-boot environment. You should verify that the computers in your organization are compatible before making the use of enhanced PINs an organizational requirement.
    BitLocker Drive Encryption in Windows 7: Frequently Asked Questions

  2. Brink    06 Feb 2016 #2

    Hello lx07,

    I recommended step 14 in OPTION ONE because of what's in the red warning box under that step.

    Too many people, including myself, had the computer no longer be able to boot into Windows if selected to do the check, and I ended up having to reinstall Windows because it couldn't unlock the OS drive even with the recovery key. The odd thing is that it's not supposed to be encrypted yet, but is still locked out.

    When not using the check, BitLocker proceeded and worked fine.

    I'm not sure if it's a UEFI issue or what yet causing that, so I added that as a precaution to help others avoid the same.

  3.    10 May 2016 #3

    Can't do a clean install of Win10 as Drive 0 Partition 4 locked


    Following advice on another thread I attempted a clean install of Windows 10 as my HDD had become fragmented with numerous spurious partitions that were eating up space unnecessarily. The process went well until Windows created the four partitions and I tried to install Windows on Drive 0 Partition 4, when Windows gave a message:

    "Windows can't be installed on Drive 0 Partition 4. Bitlocker Drive Encryption is enabled on the selected partition. Suspend Bitlocker in the Control Panel then restart installation."

    I had no idea that the HDD was locked with Bitlocker and the Clean Install tutorial on the forum gave no warning that this could be a problem. As Windows and the Recovery partitions have been deleted this is not an option.

    How can I solve this and get Windows reinstalled short of replacing the HDD?

  5. Brink    10 May 2016 #5

    Hello Exspextations,

    You should be able to delete all partitions on the disk at boot during Windows Setup to do a clean install of Windows 10 on the disk even if it was encrypted with BitLocker.

    When you delete or format a disk, it removes BitLocker protection.

  6.    10 May 2016 #6

    Brink said:
    Hello Exspextations,

    You should be able to delete all partitions on the disk at boot during Windows Setup to do a clean install of Windows 10 on the disk even if it was encrypted with BitLocker.

    When you delete or format a disk, it removes BitLocker protection.

    Umm. If that is the case, not sure what happened when I did this then, but I have managed to get round the problem as follows:

    After setting my BIOS to legacy boot I was able to boot from the USB recovery disk. However when I ran the install I still had the Bitlocker problem after deleting all the partitions. As I had nothing to lose, after deleting all the partitions created on the previous attempt to install Windows I clicked the 'new' button which created a 500 MB Drive 0 Partition 1: System Reserved partition and a Drive 0 Partition 2, which when selected allowed me to proceed and successfully install Windows. However, this was not the 4 partition configuration that the Windows installation is supposed to have so I decided to do a fresh clean install after deleting the two partitions to obtain the required configuration. This produced the same 2 partition configuration rather than the 450 recovery partition, 100 MB EFI system partition and 16 MB MSR partition with the rest as the C: drive. Not sure why my installation is different or why it is different from that expected, but at least it works.

    One final question: Bitlocker is not shown in the control panel of Windows 10 and doesn't appear to be a function of Windows 10 Home - so not sure why my disk was encrypted in the first place, but should I encrypt the C:\ drive after the clean install?

  7. Brink    10 May 2016 #7

    When you used the "new" route on the unallocated disk, it would have formatted the disk to remove BitLocker. Afterwards, you would have been able to do a clean install as usual.

    Windows 10 Home doesn't include being able to encrypt a drive with BitLocker, so I'm not sure what encrypted the drive. You don't have to worry about encrypting it again afterwards since using BitLocker is not an option. If you wanted to encrypt, you could use 3rd party software to do so though.

  8.    29 Jul 2016 #8

    Hi Shawn,

    1. Is this also possible in an environment with corporate dropbox?
    Can I implement this with a first client encrypting the full disk with the shared dropbox folder without losing access to the dropbox data on other clients?
    2.Is this also possible for file servers?

    Love to hear what you have to say.

    Kind regards,

    Martijn

  9. Brink    29 Jul 2016 #9

    Hello Martijn, and welcome to Ten Forums.

    I'm not sure how it would behave for that, but it may be best to keep shares on non encrypted locations to avoid any possible access restrictions.